Syslog-ng :: Filter internal logs
Hi,
I am trying to set up a test lab where there will be two syslog-ng (v2) servers. Each is sending its own logs (host-specific + internal syslog-ng logs) to the other syslog server. How can the receiving host identify whether it's a normal log or a syslog-ng internal log? Thanks for help!
What do you mean by “normal log”? You could define separate sources for the local logs and the ones received via network.
Thanks for reply! Sorry if I was not clear at first.
What I meant was -- SERVER1 will send its own syslog-ng's internal logs (i.e. logs generated by the syslog-ng daemon) to SERVER2 in addition to normal logs (i.e. logs under /var/log). I want SERVER2 to be able to distinguish between SERVER1's internal logs and other logs from that system. I hope this will help. Thanks!
Don’t enable udp in the normal source src {...}; statement, but make an extra one like:
Code:
source foobar {
Thanks Reuti! But, SERVER1 will send all other types of log ( i.e. auth, kern, cron etc... ) as well as messages generated by driver 'internal()'. That's why I don't know how to distinguish between other/normal logs and 'internal' logs.
Perhaps "tag" the logs leaving Server1?
The internally generated ones are the ones with the program name syslog-ng for which you can define a filter, and the “-- MARK --” entries. You could also define two sources at SERVER1 and route them to two different ports at the destination.
Thanks for replies! I think I will be using some special port for syslog-ng internal() messages.
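The two approaches suggested in this thread (a dedicated port for internal() messages, and a filter on the program name), written out as an added configuration example that was not posted by any participant. The address 192.0.2.20, port 5514, all source/destination/filter names and the file paths are assumptions chosen for illustration.

```conf
# Added example, syslog-ng 2.x syntax (no @version line).
# 192.0.2.20 is a placeholder for SERVER2; 5514 is an arbitrary spare port.

##### SERVER1 (sender) #####
source s_local    { unix-stream("/dev/log"); file("/proc/kmsg"); };
source s_internal { internal(); };   # messages generated by syslog-ng itself

destination d_srv2_normal   { udp("192.0.2.20" port(514)); };
destination d_srv2_internal { udp("192.0.2.20" port(5514)); };

# Keep the two sources in separate log paths so they never share a port.
log { source(s_local);    destination(d_srv2_normal); };
log { source(s_internal); destination(d_srv2_internal); };

##### SERVER2 (receiver) #####
source s_net_normal   { udp(ip(0.0.0.0) port(514)); };
source s_net_internal { udp(ip(0.0.0.0) port(5514)); };

destination d_normal   { file("/var/log/remote/server1.log"); };
destination d_internal { file("/var/log/remote/server1-syslog-ng.log"); };

log { source(s_net_normal);   destination(d_normal); };
log { source(s_net_internal); destination(d_internal); };

##### Alternative on SERVER2: one port, split by content #####
# Matches what the reply above describes: program name "syslog-ng"
# plus the "-- MARK --" entries. The program field is supplied by the
# sender, so any host allowed to send to port 514 can set it; restrict
# senders at the firewall if the split is used for anything sensitive.
filter f_internal     { program("syslog-ng") or match("-- MARK --"); };
filter f_not_internal { not filter(f_internal); };

# log { source(s_net_normal); filter(f_internal);     destination(d_internal); };
# log { source(s_net_normal); filter(f_not_internal); destination(d_normal); };
```

Use either the two-port log paths or the commented-out filter-based ones on SERVER2, not both, otherwise messages are written twice.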